LouAnna Notargiacomo

A model of atomicity for multilevel transactions

Data management applications that use multilevel database management system (DBMS) capabilities have the requirement to read and write objects at multiple levels within the bounds of a multilevel transaction. The authors define a new notion of atomicity that is meaningful within the constraints of the multilevel environment. They offer a model of multilevel atomicity that defines varying degrees of atomicity and recognizes that lower security level operations within a transaction must be able to commit or abort independently of higher security level operations. Execution graphs are provided as a tool for analyzing atomicity requirements in conjunction with internal semantic interdependencies among the operations of a transaction and rules for determining the greatest degree of atomicity are proved that can be attained for a given multilevel transaction. Several alternative transaction management algorithms that can be used to preserve multilevel atomicity are presented.<<ETX>>

Correctness criteria for multilevel secure transactions

The benefits of distributed systems and shared database resources are widely recognized, but they often cannot be exploited by users who must protect their data by using label-based access controls. In particular, users of label-based data need to read and write data at different security levels within a single database transaction, which is not currently possible without violating multilevel security constraints. The paper presents a formal model of multilevel transactions which provide this capability. We define four ACIS (atomicity, consistency, isolation, and security) correctness properties of multilevel transactions. While atomicity, consistency and isolation are mutually achievable in standard single-site and distributed transactions, we show that the security requirements of multilevel transactions conflict with some of these goals. This forces trade-offs to be made among the ACIS correctness properties, and we define appropriate partial correctness properties. Due to such trade-offs, an important problem is to design multilevel transaction execution protocols which achieve the greatest possible degree of correctness. These protocols must provide a variety of approaches to making trade-offs according to the differing priorities of various users. We present three transaction execution protocols which achieve a high degree of correctness. These protocols exemplify the correctness trade-offs proven in the paper, and offer realistic implementation options.

Security for the Common Object Request Broker Architecture (CORBA)

Over the last several years, there has been an emphasis on distributed client/server computing in business as well as government. A useful means of achieving this capability is through the use of object technology. Distributed object systems offer many benefits, such as downsizing and right sizing, resulting in a trend toward small, modular, commercial or government off-the-shelf components as a means of system development. Distributed object management standards, such as the Common Object Request Broker Architecture (CORBA) specification are aiding the integration process. One area of distributed object systems that has received little attention to date is security. Security is a difficult problem in traditional software systems, and adding distribution and use of object-oriented techniques just increases the complexity of the problem. The Object Management Group (OMG) is beginning to solicit proposals from vendors for handling security in a distributed object environment. This paper gives an overview of distributed object management and standards being specified by the OMG. It applies traditional security engineering analysis to CORBA and highlights some of the security function interdependencies among CORBA components.<<ETX>>

Merging Models: Integrity, Dynamic Separation of Duty and Trusted Data Management

One of the most important responsibilities of a database management system (DBMS) is maintaining the integrity of data. Traditional database integrity mechanisms have evolved in DBMSs to fulfill this need, including transaction management to maintain consistent results when requests execute concurrently and explicitly asserted integrity constraints to limit the values deemed legal. DBMSs also provide access controls that limit who is permitted to modify data. Despite these controls, however, DBMSs are still vulnerable to integrity violations due to users modifying data in unexpected ways or abusing their access authorizations for fraudulent or malicious purposes. Recent work in generalized integrity models, such as the Clark-Wilson model [Clark 1987, Clark 1988] and separation of duty models [Sandhu 1988, Badger 1989], provides new approaches for addressing these additional integrity needs. This paper interprets the Clark-Wilson model in the context of a DBMS, in general, and of a trusted relational DBMS, in particular. It presents a layered policy for Clark-Wilson integrity and dynamic separation of duty, that can augment the conventional database integrity capabilities of a commercial trusted DBMS and can coexist with its existing policies. Building on existing models, our dynamic separation of duty model defines a general control structure and dynamic authorization capabilities. Clark-Wilson integrity and separation of duty are realized in the policy as interpreted in terms of DBMS objects and their interrelationships.

An Investigation of Secure Distributed DBMS Architectures

The objective of this paper is to describe an architecture for a multilevel secure distributed database management system (SD-DBMS). This work was part of a project, funded by Rome Air Development Center (RADC), to design a multilevel secure (MLS) database management system (DBMS) capable of processing information at a minimum of three classification levels and/or categories. The SD-DBMS was designed in accordance with the Trusted Computer System Evaluation Criteria (TCSEC) requirements for a Class B3 trusted computer system [Cen85b].

Metadata and View Classification

The discussion during the metadata and view session centered on the proper classification rules to be applied to each metadata level and the relationship of the user’s operating level and the metadata level on the base data level.

Securely executing multilevel transactions

In this paper, we show how arbitrary multilevel transactions—transactions that have the ability to read and write data at multiple levels—can be executed using the inherently secure low-first algorithm. To this end, we combine a trusted caching facility with a multiversion timestamp ordering algorithm in a manner that is both secure and yields one-copy serializable histories.